The Computer Misuse Act of 1990

The Computer Misuse Act was enacted in the wake of the high profile hack in 1988 of a mailbox belonging to The Duke of Edinburgh by Robert Schifreen and Stephen Gold.

Prestel screenshot

Prestel was a text-based interactive information system developed by the UK Post Office in the late 1970s. Users could browse numbered pages of text (similar to the contemporaneous Ceefax and Teletext information services) on their television as well as send electronic messages to other Prestel users. Prestel services were expensive and the system did not become widely used, although Prestel technology was sold to many other telecom companies. Prestel was gradually sold off in the early 1990s as the internet became available to domestic users.

When they gained access to the login details of 50,000 Prestel customers they were unable to be properly prosecuted as no relevant legislation existed. Instead they were tried (and acquitted) of forgery – the conviction was overturned by higher courts who concluded that the Forgery and Counterfeiting Act 1981 had never been intended to be used for this purpose. In 1990 the Computer Misuse Act was introduced to plug this legislative loophole and make it illegal to gain improper access to a computer.

The Act makes it an offence to access any computer to which you do not have an authorised right to use. Note the provisions that state that the attempt does not need to have a specific target. These provisions make it unlawful, for example, to run port scanners in an attempt to find insecure computers. Note that this applies to English law. Under Scottish law computer intrusion is covered under common law related to deception.

The Act introduced three criminal offences:

Unauthorised access to computer material.

Unauthorised access with intent to commit or facilitate commission of further offences.

Unauthorised modification of computer material

Note that ‘unauthorised’ in this context means that the attacker must be aware that they are not intended to use the computer in question. So using another person’s account details, or breaking in to a computer by a password attack are clearly unauthorised use of the computer.

Late in 2006 the Computer Misuse Act was amended by the Police and Criminal Justice Act. The revised act combines the above Section 1 and Section 2 offences into a revised Section 1 and adds a new Section 3A offence of “Making, supplying or obtaining articles for use in computer misuse offences“. New offences included denial of access or denial of service to legitimate users (making denial of service attacks a criminal offence in the UK), and criminalising the creation and supply of software and hardware that might aid an attack on a computer.

The CMA has been successfully used in a wide range of criminal cases including denial of service attacks against Kent Police, Oxford University, the United States Air Force, the CIA, Sony and Nintendo; fraudulent activities in online games; illegal access and disclosure of confidential emails and personal information; theft from online banks; stalking; hoax calls to emergency telephone numbers and piracy.